European Digital Sovereignty is on everyone’s lips. European governments are making their intentions clear, with EU Member States signing the Declaration for European Digital Sovereignty, setting out landmark commitments to reduce Europe’s dependence on a small number of global platforms and to invest in trusted European infrastructures. Industry events have been popping up everywhere and governments are working hard to share knowledge and try to crack the problem. Open Source and Digital Commons are cornerstones of the solution, and the launch of the Digital Commons EDIC last Thursday in the Hague is a good example of the work being done.
But what is Digital Sovereignty, why is it important and why are Open Source and Digital Commons so central to it?
Early Stages
The idea of Digital Sovereignty has been lingering for a while in Europe, initially in the form of data sovereignty. As early as 2009 some countries, and organisations such as the French Gendarmerie, started either mandating or recommending open source software, or at least looking for the ability to host locally. But the term wasn't clearly coined until 2013, when Edward Snowden pointed out to the general public that global surveillance was very much alive, and facilitated by the black box of proprietary software controlled or compromised by assorted intelligence agencies. The documents he leaked prompted a cultural discussion about national security and individual privacy, which led the European Commission to launch the EU Digital Strategy in 2020. Since then, everything has accelerated dramatically, especially against the backdrop of a rapidly changing geopolitical landscape.
The Acceleration
The Snowden leaks were just a start, sparking realisations and concerns around routine surveillance. Key events followed which have shone an even stronger light on the need for Digital Sovereignty, further supported by the trend of developments kicked off by EU legislation.
First, as time went on, users, in particular governments, realised that as useful as the Cloud is, there may be something to be said about where the data is located and who is controlling it. Further to that came the growing realisation that having a handful of foreign private companies (sometimes with a balance sheet bigger than some countries) holding your communications and data is far from ideal. And eventually came the recognition that being locked in to a given vendor, wherever they’re based, is a problem, again in particular if you are a government.
Second, against this background of rising understanding and awareness, a few key events took place:
In February 2022, Russia invaded Ukraine and started to try to physically cut off Ukraine’s communication links to the rest of the world. The entire country had to become self-sufficient overnight for all its communications, at risk of losing all access to the internet.
In February 2024, high-ranking German officers discussed sensitive information about their plans to support Ukraine on a Webex call, which was infiltrated by a third party who joined it, and the discussion was eventually picked up by the media.
In February 2025, Donald Trump signed an Executive Order, formally authorizing sanctions against the International Criminal Court (ICC) based in The Hague. The order followed the ICC opening investigations and issuing arrest warrants for Israeli officials on war crimes and crimes against humanity related to the conflict in Gaza. The order targeted the ICC and individuals involved in investigations, and beyond direct sanctions towards them, also threatened to sanction any individual or organisation who “materially assisted, sponsored or provided financial, material or technological support to the Court’s activities”. This resulted in some American companies like Microsoft ceasing to provide services to the ICC, forcing the teams to move to non-American third party solutions to be able to do their day job.
In March 2025, high-ranking members of the US national security apparatus used the encrypted messaging app Signal to discuss a planned military operation. A journalist who was added to the chat by mistake went on to publish what became the ‘Signalgate’ scandal.
So let’s face it, it was hard to ignore the signs, screaming that better security and sovereignty were required.
But we’re here now, and most of the countries have realised that when it comes to their data and digital life, there are three questions they should be able to answer:
1. Am I protected against bad actors?
2. Can my government operate if I were the only country in the world?
3. Am I truly independent?
In other words, three things are non-negotiable for true Digital Sovereignty: you need security, resilience and freedom of choice ⇒ open source is the answer.
Learning the hard way
Around 10 years ago, when we started going around saying that maybe it wasn’t ideal for a couple of big private companies to be holding the world’s communication hostage, and maybe we should look again at a different model for instant messaging, potentially something similar to email… people looked at us like we were mad scientists.
And yet here we are, 10 years later, with over 185 million users in the public network and countless public sector organisations using Matrix, from cities like Echirolles in France or Ghent in Belgium, to entire governments like France, Germany, and Sweden, as well as organisations like the UN and the European Commission.
All of these have converged on Matrix for their communications, because it is an open standard, managed by a not-for-profit Foundation, providing end-to-end encrypted communications, with the ability to choose:
- How and where to run it
- The app you choose to access it (maybe your own)
- The vendor that supplies it (if any)
- And the ability to connect to other organisations who use apps built on Matrix
We have reached the point where European governments naturally converge on it, and the European Commission recommends it: Matrix has become the standard for secure and sovereign communication in Europe.
But to get here we did spend a fair share of time trying to explain why security, resilience and freedom of choice are critical, and why open source is the only way to check all the boxes of Digital Sovereignty. We also spent countless hours trying to explain what the right ways to support and buy open source are, in particular to public sector organisations, which allowed us to build a catalogue of “wrong solutions”, alongside a list of best practices. Here is an overview.
Wrong solutions, or “what not to do”
Here is a non-exhaustive list of bad answers to “are you really Digitally Sovereign” that we keep hearing again and again:
“I am Digitally Sovereign because I use the proprietary ‘Sovereign’ solution of a big foreign corporation, hosted in my country.”
Well, that doesn’t really work because:
- The corporation is subject to foreign control
- You are locked to one vendor
- It requires connection to the rest of the internet
- There probably is no way to audit
- It can probably only be run in the vendor’s data center (no on-premise or sovereign cloud)
“I am Digitally Sovereign because I use a proprietary solution developed by a local company.”
Again, this ignores the fact that:
- You are still locked to one vendor
- There probably is no way to audit
- There is no guarantee it can run in your data center (no on-premise or sovereign cloud)
“I am Digitally Sovereign because I will develop everything from scratch myself.”
Technically you probably are BUT:
- You will need years to build it
- You will need a multi-million yearly budget and a team of specialists (devs, product, security, design, QA, SRE…) to build and maintain it
- Is that really the core mission of your organisation?
“I am Digitally Sovereign because I have picked up an open source project, customised it internally or funded feature development and I run it myself.”
However:
- You are dependent on the original developer to continue to work for free: what happens if they disappear?
- You will still need a multi-million yearly budget to build and maintain it
- Is that really the core mission of your organisation?
“I am Digitally Sovereign because I have bought from a local integrator who will customise and run an app based on an open source project.”
Again:
- You are dependent on the original developer to continue to work for free: what happens if they disappear?
- Also: have you run due diligence on their expertise?
So is there no solution then? Thankfully there is!
The Right Solution (or “Best practices to buy open source”)
To be Digitally Sovereign, you need to use open source to avoid vendor lock-in, but you also need to:
- Buy from a vendor
  → it supports the industry, makes the software available for the private sector too (and it’s not your mission to develop products!)
- Ensure it’s part of a multi-vendor ecosystem
  → or you will be vendor-locked again
- Ensure the vendor has some level of expertise
  → you need someone who can really support you
- Mandate that the vendor sustainably supports the upstream project
  → it’s one line in a tender that will make the difference between sustainability and failure.
- Buy via a recurring fee
  → pay for what you use to keep it free; feature funding doesn’t pay for maintenance and security work!
If all these boxes are checked, then you can be assured that you are Digitally Sovereign, that the industry is supported, that the community is able to grow, and that the upstream project can improve, evolve, stay secure and maintained.
A good way to think of it and enforce it is to mandate that public sector organisations actually perform due diligence on suppliers before acquisition. The OSBA (Open Source Business Alliance) has conveniently put together a list of 4 Qualification Requests which make it possible to assess whether a supplier is a good player in the ecosystem:
- Relationship with the Software Manufacturer / Community
- Ensuring Upstream Publication of Modifications and Patches
- Ensuring High-Quality Level 3 Support
- Securing the Supply Chain Through Support for Core Components
These form an excellent framework for sustainably procuring open source and attaining true Digital Sovereignty.
What about vendors?
Vendors need to act too. It’s time to step up and speak out, and ask for what you need. This starts with education:
- Talk to procurement
- Use your champions to relay your position, they want to help!
- Use your social channels and the media to highlight failures due to freeriding
  - Otherwise you are at risk of seeing the freeriding integrator blaming your project for their failures.
- Refuse unsustainable business models (if you can)
  - One-off revenue is better than going bankrupt, but you must prioritise recurring revenue to fund maintenance.
And ensure you monetise as carefully as possible. We don’t like paywalls in open source, but they are important when it’s a matter of life or death for funding your work. There is scope to monetise without hindering the community, while pushing organisations relying professionally on the product to financially support it. For example:
- Paywall your expertise
- Leverage regulations and certifications (e.g. SBOMs for the CRA)
- Paywall features that prioritise organisations over end-users (in open core models)
- Restrict who can use trademarks to help encourage folks to procure from the right upstream
In short
Awareness of the need for Digital Sovereignty is stronger than ever. Only open source provides true Digital Sovereignty, so governments can continue running and maintaining it, come what may. However, this does not hold under just any conditions.
Organisations valuing Digital Sovereignty should only buy solutions which are:
- Open source
- Part of a multi-vendor ecosystem
- From vendors which can be trusted and support the upstream open source project, financially and sustainably
And as vendors, we should continue to speak out, educate organisations on the topic and ask for what we need!
Meanwhile, we will be releasing several videos over the next few weeks where I will be getting into the details of Building and Sustaining Open Source Impact: “how open source business owners and corporate users can drive the change”. This sort of content is a good way for European Open Source Academy members to share the knowledge they’ve built up in order to increase the adoption and accessibility of open source practices. So tune in and subscribe to our YouTube Channel and get even more details about open source and how it can support Digital Sovereignty!
For more updates on Academy activities, make sure to follow us on Mastodon, LinkedIn and Bluesky.